Sync existing accounts through MIM - synchronization rule not applied

  • Question

  • Hi,
    I have a project where I want to synchronize AD accounts with already existing objects in the connected AD system. I have created an inbound rule (which imports all objects from the source AD to the MV) and one outbound rule which exports the objects to the target AD. In the outbound sync rule I have disabled the "Create External System Resource" setting (with this I can avoid the creation of the already existing account) and set the accountName=sAMAccountName Relationship Criteria.

    When I try to synchronize the accounts between the Metaverse and the MIM/FIM Database, the objects are getting the ERE attributes, but unfortunately these are in Not Applied state. Do you have any idea what the problem could be?

    Is it possible to create an Outbound Synchronization Rule which will create all non-existing accounts in the destination and just update the accounts which already exist, without trying to create them again?

    Outbound Synchronization Rule:

    I am totally out of ideas now...

    Thank you in advance.

    BR superbutt

    Monday, March 27, 2017 10:35 AM

All replies

  • Hi Superbutt,

    There could be several causes. First check that you have Synchronization Rules enabled in the Sync engine, see attached image.

    BR,

    Leo


    Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!

    Monday, March 27, 2017 12:31 PM
  • Hi Leo,

    thank you for your answer. The Synchronization Rule Provisioning setting is enabled.

    The synchronization from the source AD to the destination AD is working when the user object does not exist in the destination AD. In this case the object is created in the destination environment without any problem. If the account already exists with the same sAMAccountName, I get an error message during the sync that the account already exists and therefore the object cannot be provisioned.

    The actual configuration of my outbound sync rule (it is able to create new users but cannot update existing objects):

    BR Tamas

    Monday, March 27, 2017 2:03 PM
  • This error message is one of the downsides of using sync rules. To work around it, turn off Sync Rule Provisioning in the Options dialog, run a Delta Sync on the AD MA, which will allow all the objects to join, and then turn Sync Rule Provisioning back on.

    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Proposed as answer by Leo Erlandsson Tuesday, March 28, 2017 6:43 AM
    Monday, March 27, 2017 9:35 PM
    Moderator
  • Hi,

    Brian is right. You'll work around the error message and get a join by turning this off in this case.

    Br,

    Leo


    Tuesday, March 28, 2017 6:45 AM
  • With the recent configuration I got the following error:

    As you suggested, I disabled the Synchronization Rule Provisioning in the Options window, ran a Delta Sync on the Customer ADMA, and ran an Export on the Customer ADMA to update the already existing account in the destination AD with the source account (which has all new properties already in the MV), but nothing happened. At least the error disappeared:

    Both objects (source and destination) have the same sAMAccountName, as defined in the Outbound Sync Rule Relationship Criteria.

    It seems that if I disable the Synchronization Rule Provisioning, these two accounts cannot be linked with each other... :/

    Tuesday, March 28, 2017 8:09 AM
  • Hi,

    if I see that right from one of your first screenshots, you are using an outbound-only sync rule, right?

    Since join or project only applies on inbound syncs, you need to change your rule to a combined inbound/outbound sync rule, or have a separate inbound sync rule with no attribute flows just for joining.

    /Peter

    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    Tuesday, March 28, 2017 10:46 AM
  • Hi Peter,
    I changed my outbound sync rule to an outbound/inbound sync rule with no inbound attribute flow. After that I imported it to the MV and ran an export to update the already existing object in the destination AD (Customer AD). I tried it with Synchronization Rule Provisioning both enabled and disabled, but I got the same result (if enabled I get the "The specified account already exists" error message; if disabled nothing happens: no sync, no update...).

    Maybe I am missing something... I am sure MIM is able to sync two different accounts with the same sAMAccountName based on the Sync Rule Relationship Criteria...

    Tuesday, March 28, 2017 11:30 AM
  • Hi,

    with the new rule synced to MV you need to run a Full Sync on the destination MA first so that the objects can be joined by the rule assuming that you already have them all present in the destination MA connector space.

    If that's not the case, run a Full Import before the Full Sync on the destination MA.

    Once they are joined, MIM should know not to provision them again.

    /Peter


    Peter Stapf - ExpertCircle GmbH - My blog: JustIDM.wordpress.com

    • Marked as answer by supebutt007 Wednesday, March 29, 2017 10:36 AM
    Tuesday, March 28, 2017 12:21 PM
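The sequence Peter gives (Full Import, then Full Sync on the destination MA, and only then an Export) can be driven and checked from the sync server instead of clicking through the Synchronization Service Manager. The script below is an added example, not code from the thread or from Microsoft. It uses the Sync Service WMI provider (MIIS_ManagementAgent in root\MicrosoftIdentityIntegrationServer) to run the two profiles and to compare connector, disconnector and pending-export-add counts before and after, which is the quickest way to see whether the existing target accounts were joined by the rule or are still queued to be provisioned again. The MA name "Customer ADMA" (taken from the thread) and the run profile names "Full Import" and "Full Synchronization" are assumptions; use whatever you configured, and note that the names are case sensitive.

```powershell
<#
  Added example, not part of the original thread.
  Runs the destination MA through Full Import then Full Synchronization via the
  Sync Service WMI provider and reports join-related counts before and after.

  Assumptions (adjust to your environment):
    - runs on the sync server, in Windows PowerShell, as a member of MIMSyncAdmins
    - the MA is named 'Customer ADMA' (the name used in the thread)
    - run profiles named 'Full Import' and 'Full Synchronization' exist on that MA
#>
param(
    [string] $MaName    = 'Customer ADMA',         # assumed MA name
    [string] $ImportRun = 'Full Import',           # assumed run profile name
    [string] $SyncRun   = 'Full Synchronization'   # assumed run profile name
)

$ns = 'root\MicrosoftIdentityIntegrationServer'

$ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent |
      Where-Object { $_.Name -eq $MaName }
if (-not $ma) { throw "Management agent '$MaName' not found in $ns" }

function Get-JoinState {
    # Connectors are connector space objects joined to an MV object; disconnectors
    # are not joined to anything. NumExportAdd is the number of new objects the next
    # Export would try to create in AD: if it is still large after the Full Sync, the
    # rule is provisioning instead of joining and the Export would fail with
    # "The specified account already exists".
    param($Agent)
    [pscustomobject]@{
        Connectors    = [int]$Agent.NumConnectors().ReturnValue
        Disconnectors = [int]$Agent.NumDisconnectors().ReturnValue
        PendingAdds   = [int]$Agent.NumExportAdd().ReturnValue
    }
}

function Invoke-RunProfile {
    param($Agent, [string] $ProfileName)
    if ($Agent.RunStatus().ReturnValue -eq 'in-progress') {
        throw "$($Agent.Name) already has a run in progress"
    }
    Write-Host "Running '$ProfileName' on $($Agent.Name) ..."
    $status = $Agent.Execute($ProfileName).ReturnValue
    Write-Host "  -> $status"
    # 'success' is the clean result; anything else (e.g. a 'completed-*' status)
    # means the run finished with errors to read in the Operations tab before
    # moving on to an Export.
    if ($status -ne 'success') {
        Write-Warning "'$ProfileName' ended with status '$status'"
    }
}

$before = Get-JoinState $ma
Invoke-RunProfile $ma $ImportRun   # stage every existing target account in the connector space
Invoke-RunProfile $ma $SyncRun     # Full Sync evaluates the inbound join criteria over all CS objects
$after  = Get-JoinState $ma

[pscustomobject]@{
    MA                  = $ma.Name
    ConnectorsBefore    = $before.Connectors
    ConnectorsAfter     = $after.Connectors
    DisconnectorsBefore = $before.Disconnectors
    DisconnectorsAfter  = $after.Disconnectors
    PendingAddsBefore   = $before.PendingAdds
    PendingAddsAfter    = $after.PendingAdds
} | Format-List
```

What to look for: after the Full Sync, Disconnectors should fall to roughly the number of accounts that genuinely do not exist in the target yet, and PendingAddsAfter should be about the same small number. If PendingAddsAfter still matches the count of accounts that already exist in the target AD, the join is not matching (the rule is still outbound-only, or the relationship criteria do not line up), and running the Export at that point reproduces the error from earlier in the thread. If you used Brian's workaround of turning Sync Rule Provisioning off for the join run, turn it back on before the next sync, or no new accounts will be provisioned either.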
  • Thank you Peter! This solved the issue. The objects are joined now and MIM doesn't want to provision them again. :)
    Wednesday, March 29, 2017 10:38 AM